One of the handy things about Amazon Linux, at least in its default mode when spun up from the standard AWS-provided AMIs, is that it installs all available security updates on first boot. What makes it less handy is that, if this includes a kernel update, the reboot needed to actually load the updated kernel will not happen on its own.

Googling around you'll find various solutions for this, with various levels of convolution / hackiness. However, this is actually pretty straightforward to deal with in recent versions of Amazon Linux / Red Hat / CentOS, which include the needs-restarting tool in the yum-utils package.

It can be used to determine that a reboot is necessary as easily as:

$ needs-restarting -r
Core libraries or services have been updated:
kernel -> 4.14.77-69.57.amzn1
Reboot is required to ensure that your system benefits from these updates.
More information:
https://access.redhat.com/solutions/27943

Here's what it looks like when a reboot is not necessary:

$ needs-restarting -r
No core libraries or services have been updated.
Reboot is probably not necessary.

You can include this in an EC2 instance's first boot by adding it to user data. Perhaps something like:

This specific formulation will stop the user data script mid-execution (the reboot ends it), so it should be inserted at a sensible point. Consider copying all or part of your user data script into /etc/rc.local so that it runs at every boot instead of only the first.
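One way to wire this into user data or /etc/rc.local, as an added example that is not code from the original post: it assumes Amazon Linux with yum, relies on needs-restarting -r exiting 1 when a reboot is required and 0 otherwise, and the marker path, the --apply flag and the overridable NEEDS_RESTARTING / MARKER variables are conventions of this example only.

```shell
#!/bin/bash
# Added example (not from the original post): user-data / rc.local fragment
# that reboots when needs-restarting -r reports a pending kernel update.
# Assumes Amazon Linux with yum; needs-restarting -r exits 1 when a reboot is
# required, 0 otherwise. NEEDS_RESTARTING and MARKER can be overridden so the
# decision logic can be exercised without touching a real system.
set -u
NEEDS_RESTARTING="${NEEDS_RESTARTING:-needs-restarting}"
MARKER="${MARKER:-/var/lib/needs-restarting.last-reboot}"  # hypothetical path

# Install yum-utils if the tool is missing.
ensure_tool() {
  command -v "$NEEDS_RESTARTING" >/dev/null 2>&1 || yum install -y yum-utils
}

# Returns 0 when a reboot is required, 1 when not (inverts the tool's exit code).
reboot_required() {
  if "$NEEDS_RESTARTING" -r >/dev/null 2>&1; then return 1; else return 0; fi
}

# Prints "reboot" or "continue". A reboot loop is avoided by recording the
# kernel we rebooted from: if we come back on the same kernel and the tool
# still asks for a reboot, rebooting again will not help, so we carry on.
plan_action() {
  running="$(uname -r)"
  if ! reboot_required; then
    echo continue
  elif [ -r "$MARKER" ] && [ "$(cat "$MARKER")" = "$running" ]; then
    echo continue
  else
    echo reboot
  fi
}

main() {
  ensure_tool
  case "$(plan_action)" in
    reboot)
      uname -r > "$MARKER"
      reboot   # nothing after this line runs; the reboot ends the script
      ;;
    continue)
      echo "No reboot needed; continuing with the rest of user data."
      ;;
  esac
}

# Only act when invoked with --apply (from user data or rc.local), so the file
# can be sourced for testing without rebooting the host.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Dropped into /etc/rc.local as `/path/to/this-script.sh --apply`, it reboots once after a kernel update and otherwise lets the rest of the boot-time script run.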